1. Introductions and apologies 
1.1. There were apologies from James Edmands of the NAO 
and from Alison Langridge of BDO who were both unable to 
attend. 
2. Declaration of interests 


2.1. There were no declarations of interest. 


3. Action points from the Audit Committee meeting of the 
8 December 2014 


3.1. The minutes were presented for information. They had 
been cleared by correspondence and there were no specific 
matters arising from them. 


3.2. The Committee was pleased to see that all of the action 
points had been cleared. Members expressed the view that 
they would expect this to be the case for all meetings unless 
there was good reason for a delay. 


4. Commissioner’s update 


4.1. Christopher Graham provided an update on matters 
affecting the ICO, linking this discussion with the risk register 
which was also presented. Matters raised included: 


4.1.1. The office was awaiting the final Triennial Review 
report, due shortly. Once received the report would be 
considered in detail. 


4.1.2. Section 56 of the Data Protection Act had now been 
commenced. The section outlawed enforced subject 
access, which is when organisations force people to make 
subject access requests for information the organisation 
wants. This commencement followed an almost twenty 
year campaign. 


4.1.3. The Government had also announced the removal of 
the PECR enforcement threshold from April. The threshold 
had been making it very difficult for the ICO to take 
enforcement action for PECR breaches. 


4.1.4. The ICO’s annual Data Protection Practitioners’ 
Conference had been held in Manchester on 2 March and 
had been very successful. 


4.1.5. The Intelligence and Security Select Committee was 
due to publish a report on surveillance on Thursday. 


4.1.6. The office was expecting the Supreme Court Judgment 
in the Prince of Wales letters case. The issue was whether 
or not Ministers had a right of veto under the 
Environmental Information Regulations. The ICO would be 
considering the different scenarios which might arise from 
the case. 


4.2. Of prime concern was the current industrial relations 
dispute with PCS over the July 2014 pay award. There had 
been five days of strikes, and a work to rule and overtime 
ban were in place. It was clarified that the dispute was being 
supported by the national PCS. Half of the ICO staff had 
accepted the pay deal and will receive pay arrears due in 
their March salary. The Committee noted that the internal 
audit plan had a particular focus on staff engagement which 
might be helpful. 


Action point 1: Christopher Graham to provide a copy 
of his recent blog on pay to the Committee. 


4.3. The risk register was discussed, in particular the IT risk. 
It was suggested that the Executive Team might consider 
whether or not to split the current IT risk. The Committee felt 
that there were two elements: the internal systems and the 
public-facing services. 


Action point 2: Simon Entwisle to consider further the 
IT risk and to update it if thought appropriate before 
the April Management Board meeting. 


5. Finance 


5.1. Simon Entwisle and Heather Dove introduced the 
various finance issues coming to the Committee. 


January finance report 

5.2. An end of year underspend, although a risk, was 
thought unlikely. Whilst data protection fee income continued 
to increase above expectations, expenditure on various IT 
projects in the run up to year end, and on accommodation 
work aimed at reducing future dilapidations on the Wilmslow 
property, mitigated the risk. 


5.3. The Committee suggested that the ICO needed to think 
more strategically about the continuing rise in registration 
fees. There were two issues: that of ensuring that the legal 
requirement for data controllers to register was enforced and 
that the fee be set according to the number registering and 
the cost to the ICO of undertaking its data protection work. 


5.4. It was already the case that the ICO targeted high risk 
organisations in respect of registering, for example in 
checking organisations complained about. The new EU 
regulation was also expected to remove the duty to register 
at some stage in the future. 


Action point 3: Simon Entwisle to consider the ICO 
strategy in respect of registration fees and to report 
back to the next Committee meeting. 


5.5. The finance report for February was made available to 
the meeting. It had been finalised after the papers had been 
circulated. The basic message was the same as for the 
January report. 


The new finance system 


5.6. Heather Dove advised that the new finance system had 
successfully gone live on 1 February. Data had been migrated 
over from the old system and it was the intention to use the 
new system to prepare the annual accounts. 


5.7. Audit Committee thanked Heather Dove and the Finance 
Team for their hard work and the achievement of bringing in 
the new system ahead of schedule. 


5.8. There was more work to do, and the biggest change for 
budget holders would be noticed in April with new reporting 
capabilities and month end procedures. 


5.9. A new purchase management system would be brought 
in over the summer. 


Civil monetary penalties 


5.10. The ICO advised that the Data Protection Act would 
need to be amended to allow the ICO to retain an element of 
civil monetary penalties (CMPs) collected to pay for the work 
involved in chasing unpaid CMPs. The NAO had provided 
examples of organisations which already did this but they 
were not constrained by the same legislation as the ICO. The 
office was ready to push this forward if and when a legislative 
opportunity arose. 


5.11. The recently announced changes to the PECR (coming 
into effect in April), and the likelihood that these would lead 
to more penalties being issued, were recognised. Guidance was 
being updated and Enforcement was ready for the change. 


6. Integrated assurance 


6.1. Simon Entwisle updated the Committee on the 
Integrated Assurance project. Leadership Group had 
considered the results of the most recent exercise in January. 
It was thought that the project had been successful in 
highlighting areas of both good and bad practice and in 
coming up with actions aimed at improving performance in 
the areas targeted. The next self-assessment would be in the 
summer and would target HR related measures. 


6.2. The Committee asked whether or not the project was 
meeting expectations. One of the original drivers for the work 
had been to reduce the cost of internal audit with the ICO 
being clearer about its own internal controls; however the 
project was targeting different areas each time. 


6.3. Simon Entwisle considered that the project was 
currently proving very useful, but its value would be 
constantly reviewed. 


7. Planning and budgeting for 2015/16 


7.1. The draft ICO Plan 2015-2018 and the budget for 
2015/16 were presented for information. In respect of the 
ICO Plan, it had been consulted upon but there were no 
significant changes made to the Plan as a result of this. The 
Commissioner had provided an introduction and a more up to 
date version of the ICO Plan would come to Executive Team 
in a week’s time for clearance. It would then be published. 


7.2. The budget had been sent to the Ministry of Justice 
(MOJ). Confirmation of grant in aid was still awaited. The 
budget assumed grant in aid as this year, but given the 
pressure on MOJ budgets there might be a reduction asked 
for. 


8. Outstanding audit recommendations 


8.1. The Committee noted that there were no outstanding 
internal audit recommendations and commended the ICO for 
clearing recommendations quickly. 


8.2. There was one outstanding external audit 
recommendation that had a clearance date beyond year end. 
BDO was asked whether this would result in an adverse 
opinion from the NAO. 


8.3. The delay in clearing the recommendation was due to 
clearance being linked to the introduction of phase 2 of the 
finance system. BDO did not consider that the fact that the 
recommendation had not been actioned by year end would 
impact on the NAO’s opinion as there was good reason for 
the delay. 


9. Internal audit 


Audit update report 


9.1. Grant Thornton reported that they had completed the 
majority of the audit plan for 2014/15 having spent a total of 
39.5 days to date. The audits had gone well and Grant 
Thornton would complete the audit plan on schedule. 


Internal audit review — Corporate and financial planning 


9.2. Grant Thornton had looked at the ICO’s corporate and 
financial planning processes and was comfortable with the 
way the ICO undertook its planning. There was one medium 
recommendation relating to the objectives in the ICO Plan 
being SMART. Other recommendations were low or for 
improvement. 


9.3. In respect of the SMART recommendation the 
Committee questioned what steps were being taken to ensure 
the ICO Plan objectives were SMART. Peter Bloomfield 
advised that whilst not all of the ICO’s objectives could be 
SMART much had been done over the last few years to 
ensure that more objectives were measurable. Senior 
managers had been reminded of the need for SMART 
objectives, and the drafting process had been used to clarify 
measures and their timescales where appropriate. 


Internal audit plan 2015/16 


9.4. The internal audit plan for 2015/16 had been discussed 
with senior managers at the ICO and had been considered by 
Executive Team. There was a focus on staff engagement, and 
consideration of (amongst other things) new finance system 
benefits realisation, IT service delivery, external liaison and 
policy issues (to be renamed “external engagement and 
communications”) and core operations. 


9.5. It was noted that the reviews totalled 86 days. The 
intention was to prioritise, although it was also suggested 
(and accepted) that working up the plan over two years was 
a sensible option. 


Action point 4: Simon Entwisle with Grant Thornton to 
re-constitute the internal audit plan over two years 
and to seek agreement of the Audit Committee 
members to the new plan by email. 


9.6. The balance of senior staff days proposed in the audit 
plan was queried. It was confirmed that the ICO had asked 
for greater senior management involvement where 
appropriate. However Grant Thornton would review the 
balance. 


10. External audit 


10.1. BDO introduced the Audit Progress Report on the 2014-15 
financial statement audit. Key findings from work to date 
were highlighted on page 3. These were: 


10.1.1. variances in payroll above tolerances; 


10.1.2. difficulty in placing reliance on sample checks the 
ICO has already done on regularity of fee payments; and 


10.1.3. the offsetting of conference income against 
expenditure. It ought to be classified as income. 


10.2. The additional payroll checking work and work arising 
from moving to a new finance system necessitated the 
increase in fee detailed in the report. It was agreed that this 
was a one off increase and was not rolled forward into the 
base audit fee. 


11. ICO annual report and accounts 


11.1. Peter Bloomfield introduced this item. The timetable had 
been compressed by two weeks to bring forward the laying of 
the Annual Report and Accounts. This had been achieved by 
arranging for the document to be designed by a private firm. 
The NAO had been consulted over the timetable. 


11.2. The draft Governance Statement and ICO Audit 
Committee Annual Reports had been developed using the 
previous year’s versions as a template. It was confirmed that 
this approach was appropriate. 


11.3. In terms of clearance by Management Board the main 
focus of the process was on the Commissioner as corporation 
sole, but it was the intention to ensure that the 
Non-executive Directors as well as Audit Committee and the 
Executive Team were involved in the development of the 
Annual report and Accounts. 


Action point 5: Peter Bloomfield to ensure that the 
timetable and policy and procedure reflected the 
involvement of the Non-executive Directors in the 
development of the Annual Report and Accounts. 


12. Fraud, whistleblowing and security incidents 


12.1. Peter Bloomfield presented the Fraud, Whistleblowing 
and Security incidents report for the last quarter. 


12.2. The NAO was concerned about having formal 
involvement in the ICO’s internal assurance processes. This 
concern was noted and it was agreed to remove the NAO 
from the various policies and procedures as being a formal 
point of contact for the reporting of issues. 


Action point 6: Peter Bloomfield to revise the various 
policies affected to reflect the position of the NAO. 


13. Register of interests format 


13.1. Peter Bloomfield presented a paper outlining possible 
changes to the register of interest which was completed by all 
Management Board members. 


13.2. The view of the Committee was that in general, whilst 
(for example) where pensions were held ought to be noted, 
details of private investments need more security. 


Action point 7: Peter Bloomfield to consider the 
register of interests in light of the comments made. 
14. Any other urgent business 
14.1. There was no other business. 


15. Review of publication of papers 


15.1. It was agreed that Peter Bloomfield would confirm 
publication of papers by correspondence. 


